How to autodetect infected or spammer users and temporary block the SMTP output

From MikroTik Wiki
Revision as of 02:50, 11 August 2009 by Netinthewest (talk | contribs)
Jump to: navigation, search

Here can see in the solution which i invented and work excellent to autodetect and block SMTP viruses or spammers!

Only create these 2 rules in firewall forward: 

/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

When an infected user is autodetected with a virus worm or doing spam, the user is added to a spammer list and block the STMP outgoing by 1 day, all the values can be adjusted for different networks types or at your convenience

Antispam-rules.jpg


Logging detected users

Next, to display a red Log each 30 minutes listing the detected infected or spammers users using hotspot, add the next script: 

/system script
add name="spammers" source=":log error \"----------Users detected like \
    SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
    list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
    address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
    do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
    error \$usser} };" policy=ftp,read,write,policy,test,winbox

Logging-spammers.jpg

[Alessio Garavano]


DesertAdmin correction to the above rule set. 

/ip firewall filter
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp

Remove the following line if you already have a virus chain if not added it in. 

add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus

Also remember to move newly updated rules logically above your current jump forward rule. I like to keep my rules in orders of ports.

-Sincerely, DesertAdmin

Netinthewest says. (My first ever Mikrotik script) I got e-mail blacklisted so had to do something fast. I used DesertAdmins solution and it worked great. Took a while though to work out logging from Alessio's script.(screenshots were great) Turns out I needed to create the variable first before I could use it to log the spammers IP. I called it "spamip" This version works straight from the tin. 

:global spamip;
:log error "----------Users detected like SPAMMERS -------------";
:foreach i in [/ip firewall address-list find list=spammer] do={:set spamip [/ip firewall address-list get $i address];
:log error $spamip};

Thanks guys! You got me out of trouble.

Retrieved from "https://wiki.mikrotik.com/index.php?title=How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output&oldid=13304"